First lesson: make sure your software is up to date! In
several articles over the past few months, I've repeatedly pointed out
that technology is evolving so rapidly that software is no longer really
a product. It is a service that you subscribe to
when you buy and install software on your computer. Remember: you
only bought the right to use that software. It still
belongs to whoever licensed it to you. Read the
End-User License Agreement. You are entitled to free
updates and bug fixes! In the case of Microsoft, this update
process is highly automated via Windows Update and Office Update.
All software vendors and many hardware vendors have similar tools to ensure that
you have the latest possible fixes in your software. Besides
throwing away part of your investment when you fail to keep software
up-to-date, you forfeit much of your right to complain when things go
wrong!

You cannot honestly complain about weaknesses in the vendor's
software when you fall prey to a second email virus if you never bothered
to update your software after the first! Of course, I'm referring to
the Melissa virus, which led to many updates being released over the last
nine months, most of them last fall.

As a student of Information Security, I assure you that the only reasonable
defense is an active defense. We cannot now and
probably never will design perfectly secure software. The only
real defense today is to detect and respond to attacks ASAP. A
very large part of that is the ability to field a security fix as
quickly as possible. Hence, programs like Windows Update, IBM
Connection, Oil Change, and many similar tools are very important
for security, let alone reliability, feature and ease-of-use
improvements.

It is very justifiable to be suspicious of bug fixes.
There is a history of bug fixes that introduce more bugs than
they fix. This is especially true when you
"mix-and-match" updates. You may very well think
you should only apply fixes that you clearly need. This was
a good recommendation back when change was limited by what you and your
users did. Now users are visiting websites at home and at work
that teach them to do ever more complex things with their computers,
exercising software in those systems in ways you'd never see in the old
days when users only knew the commands that the IT department taught
them! Now there is much more diversity in both the way the
computers are used and the programs stored on them. The reality is
that the folks in your vendor's shop and at the leading user sites
world-wide are testing with all the latest fixes installed.
And the vendors releasing those fixes are generally testing with only
the top applications installed on their test systems. The
combinations of N products, each with M possible updates, configurable
in L different ways quickly leads to a probability that you find your
site's setup is totally unique and untested. This is
especially true if you only install "some" fixes to
"some" products. You are asking for trouble if
you don't keep in sync with the vendors.

The right answer for individual computer owners is to be no more than
a month or two behind. Protect yourself from "bad" bug
fixes by giving any new update a week or two "on the net"
before you install it. (Of course, this depends upon the
popularity of the product. The most popular products will be
shaken down by the user community faster than the rarely used
products.) For corporate sites of sufficient size and dependence
on software quality, your IT organization should have a "test
configuration" modeled after the configurations fielded
company-wide, and test suites that exercise the software by
performing the operations typical of your users. Updates should be
applied and tested quickly after they become available on the net.
Firmware (BIOS and devices), operating system and application updates
should be tracked for all systems in your corporation. IE's
"subscription" feature is a nice way to have yourself notified
(by a "highlight" in your Favorites list) when a vendor site
updates its download page with new patches. Windows Update and
Office Update also let you check each PC to see exactly which Windows
and Office patches have been applied.

Now I know some readers will interpret the recommendations above as preaching
Microsoft's monopolistic garbage. Let me assure you I'm only
talking reality here. In an ideal world, I'd prefer that: a) all
software be perfect; b) all vendors have an equal shot at
the market; c) all components be interchangeable.
Reality, however, is that there are natural monopolies that influence
our choices. Fish swim in schools for very practical
reasons. If you read the above recommendations carefully, you'll
note that my comments apply to ALL operating systems, applications and
firmware. All are subject to security flaws and all are in need of
maintenance. If your idealism calls for greater diversity in your
platforms, then whatever platforms you choose, keep up with the
bug fixes on each type of platform! If you think none are needed because you never hear
about problems with your vendor's software, be assured your time will
come or your vendor will go out of business. Be prepared.

Second lesson: Informed and warned users didn't fall for
this spoof. True, the virus took advantage of weaknesses of human
nature and a little knowledge about computers: a) we trust our
friends and this message appeared to be from someone we knew; b)
it had to do with love during the month of May; c) we ignore icons
and believe that anything that appears to end in TXT has to be a
"safe" file to open. I could have added that we get in
the habit of ignoring warning messages because we get far too many of
them.

The well trained corporate computer user knows that the workplace is
not the place to play with joke and "love message"
email. Would any insurance inspector be happy to see cartoons and
jokes plastered all over the lathe or milling machine in the
plant? The inspector would quickly point out that these
distractions were interfering with the safe and efficient operation of
the equipment. Cartoons, jokes and such belong on the bulletin
board in the break room, not on the shop floor. Your corporate
desktop is the information workers' shop floor! Safety
first!

Third lesson: Slow down! It is amazing to me how
many users set their email readers to send outgoing email
immediately. I highly recommend the option changes detailed last
Thursday. I've worked with these settings for most of a week now
and prefer the added control these options offer. Now my
mail does not leave my PC until I've prepared several outgoing messages
and I'm ready to look for new mail. I've twice used the
opportunity to pull a message out of my outbox and make
improvements! Ah! No more email regret! And as
explained in that article, any future email virus I catch will not propagate
before I see its children in my outbox!

Correction... of sorts: In a previous article
I suggested that it was possible to spoof the icon displayed in
association with a given file, causing the icon to differ from the icon
assigned to the file type. Microsoft Security, however, assures me
that the association cannot be spoofed on a per file or per attachment
basis. Only Internet shortcuts have the property of
supporting local redefinition of the icon displayed. They argue
that the users should have noticed that the file 'LOVE-LETTER-FOR-YOU.TXT'
(with the .VBS hidden) was marked with a VBS icon, not a TXT icon.
Hence they claim it is not necessary to turn off the hiding of
extensions as I recommended.

I'll accept them on their word about per-file icon associations, but
remind everyone that Windows 98SE and lesser systems do not support file
protections. Hence, a Trojan Horse could modify the registry or
system files so that ANY icon could be associated with ALL files of the
VBS type. Then every VBS file would look like a TXT file but
execute as a VBS file. Likewise with EXE and any other executable
file type on your system. Further, people simply cannot see
icons all that well and certainly don't enjoy memorizing all the
possible icons!
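To make the hidden-extension problem from the second lesson and the correction above concrete, here is an added example (mine, not code from the original column or from Microsoft). It simulates what Explorer shows when "Hide file extensions for known file types" is on, and flags attachment names whose visible part looks like a harmless document while the real, last extension hands the file to a script host. The extension tables are my own illustrative lists, not a complete registry dump; the treatment of .lnk, .pif and .url as always hidden reflects the NeverShowExt registry flag on those types, which goes slightly beyond the .VBS case in the text. The attachment names at the bottom are constructed samples.

```python
"""Simulate Explorer's extension hiding and flag disguised attachments.

Added example, not from the original column. The extension sets below
are illustrative assumptions, not the full list Windows registers.
"""

import os

# Extensions Windows runs as code or hands to a script host. An attacker
# wants one of these to be the real (last) extension that gets hidden.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf",
                   ".exe", ".com", ".bat", ".cmd", ".scr", ".hta"}

# Extensions users are taught to regard as harmless documents.
BENIGN_LOOKING_EXTS = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html", ".pdf"}

# Types whose extension Explorer never shows, regardless of the setting
# (NeverShowExt in the registry). Assumed list for illustration.
NEVER_SHOW_EXTS = {".lnk", ".pif", ".url"}

KNOWN_EXTS = EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS | NEVER_SHOW_EXTS


def split_ext(name):
    """Split off the last extension, lower-cased so .VBS == .vbs."""
    root, ext = os.path.splitext(name)
    return root, ext.lower()


def displayed_name(filename, hide_extensions=True):
    """Return the name Explorer would show for this file.

    With hiding on, the last extension is dropped whenever the type is
    'known' (registered). NeverShowExt types are hidden either way.
    """
    root, ext = split_ext(filename)
    if ext in NEVER_SHOW_EXTS:
        return root
    if hide_extensions and ext in KNOWN_EXTS:
        return root
    return filename


def is_deceptive(filename):
    """True when the real extension runs code but the name left after
    hiding appears to end in a benign document extension."""
    root, real_ext = split_ext(filename)
    if real_ext not in EXECUTABLE_EXTS:
        return False
    _, apparent_ext = split_ext(root)
    return apparent_ext in BENIGN_LOOKING_EXTS


def triage(attachments):
    """Return (real name, name shown to the user, verdict) per attachment."""
    report = []
    for name in attachments:
        shown = displayed_name(name)
        if is_deceptive(name):
            verdict = "BLOCK: script disguised as %s" % shown
        elif split_ext(name)[1] in EXECUTABLE_EXTS:
            verdict = "WARN: executable attachment"
        else:
            verdict = "ok"
        report.append((name, shown, verdict))
    return report


# Constructed sample: the ILOVEYOU attachment name plus a few decoys.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "minutes.txt",
    "photo.jpg.exe",
    "setup.exe",
]

if __name__ == "__main__":
    for name, shown, verdict in triage(SAMPLE_ATTACHMENTS):
        print("%-30s shown as %-24s %s" % (name, shown, verdict))
```

Run it and the first line of output is the whole story: with hiding on, the user sees LOVE-LETTER-FOR-YOU.TXT while the script host sees a .vbs file. Turning hiding off (hide_extensions=False) makes the full name visible, which is exactly the setting change recommended in the text.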

I still believe hiding file extensions is far too dangerous for what
you gain by having four fewer characters in your file names. So when
push comes to shove, I still recommend NOT hiding file extensions, since
icons are only reliable on NT or better systems. I also believe
commercial-grade usage requires Windows NT/2000 (with NTFS, proper setup
and administration, etc.).

But everyone knows I'm biased in favor of security, so go ahead and
discount my opinion. Every CIO would rather save a few hundred
bucks per PC by ignoring his/her information security advisors until after
the virus strikes. Then he/she can request emergency funding and
blame the crisis on the vendor, the Internet, hackers, etc.
Warning! Worse viruses are on the way. The day when blaming
others lets you keep your job is going to pass. If your
business depends on computers connected to the Internet, invest in
proper security!